587 matches found
GHSA-W9WP-H8WV-79JX vulnerabilities
Vulnerabilities for packages: deno, parseable...
CVE-2026-48504 vulnerabilities
Vulnerabilities for packages: deno, parseable...
GHSA-W9WP-H8WV-79JX vulnerabilities
Vulnerabilities for packages: deno, parseable...
CVE-2026-48504 vulnerabilities
Vulnerabilities for packages: deno, parseable...
CVE-2026-55517
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response...
CVE-2026-49983
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot...
CVE-2026-49860
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially...
CVE-2026-49859
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name...
CVE-2026-49406
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.12, when Deno was run in BYONM mode nodeModulesDir: "manual", the module resolver did not validate that a package's resolved entrypoint stayed within its nodemodules// directory. A malicious package.json whose main field...
CVE-2026-49411
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.0, the Node.js compatibility TCP path checked the permission against the original hostname string before resolution and then did not re-check after resolution. A caller could therefore pass a numeric alias of an IP address fo...
CVE-2026-49440
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, node:crypto.checkPrimecandidate, options, callback and crypto.checkPrimeSynccandidate, options ran no Miller-Rabin rounds at all when the caller left options.checks at its default of 0. In that mode, the only test applied ...
CVE-2026-49401
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done...
CVE-2026-49402
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:childprocess implementation provided an escapeShellArg helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.e...
CVE-2026-44726
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When autoSelectFamily was enabled and the first address-family attempt...
CVE-2026-55517 Deno: Denial of service via non-ASCII bytes in WebSocket response headers
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response...
CVE-2026-55517
CVE-2026-55517 affects Deno prior to 2.7.5, where a client WebSocket handshake could crash the process if the server returned non-ASCII bytes in Sec-WebSocket-Protocol or Sec-WebSocket-Extensions headers. The root cause is parsing those headers as ASCII strings, triggering a panic when non-printa...
CVE-2026-44726 Deno: TLS retry copies stale upgrade hook, risking plaintext traffic
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When autoSelectFamily was enabled and the first address-family attempt...
CVE-2026-44726
Summary: CVE-2026-44726 affects Deno up to 2.7.7, where a flaw in Deno’s Node.js TLS compatibility layer can cause plaintext data to be sent after a connection retry when autoSelectFamily is enabled. The root cause is that the socket reinitialization path reuses a stale TLS upgrade hook tied to t...
CVE-2026-44726 Deno: TLS retry copies stale upgrade hook, risking plaintext traffic
Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When autoSelectFamily was enabled and the first address-family attempt...
CVE-2026-49401 Deno Permission Bypass via Unicode Normalization Mismatch on macOS (APFS)
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done...